B324: hashlib

B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib

This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash functions in hashlib. The hashlib.new function provides the ability to construct a new hashing object using the named algorithm. This can be used to create insecure hash functions like MD4 and MD5 if they are passed as algorithm names to this function.

For Python versions prior to 3.9, this check is similar to B303 blacklist except that this checks for insecure hash functions created using hashlib.new function. For Python version 3.9 and later, this check does additional checking for usage of keyword usedforsecurity on all function variations of hashlib.

Example:

>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for
   security. Consider usedforsecurity=False
   Severity: High   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: examples/hashlib_new_insecure_functions.py:3:0
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html
2
3   hashlib.new('md5')
4

See also

• https://cwe.mitre.org/data/definitions/327.html

New in version 1.5.0.

Changed in version 1.7.3: CWE information added